Sending traffic originating from FW over IPSec tunnel

Pete89
Level 2

Hello,

I have a FW in site B that needs to authenticate VPN users connecting to the FW in site B against an RSA RADIUS server in site A. So that means the FW would be sending RADIUS traffic via its peer interface to site A. At least that is how the RADIUS server in site A will see the traffic. The RADIUS server will see it as coming from the peer IP of site B, right?

The public (peer) interface IP is not part of the interesting traffic, and I wonder if including it might bite me in the a$$.

Does that make any sense?

Thanks!

Accepted Solution

Adam White
Level 1

Maybe add it but do a protocol exclusion in the interesting traffic.

I.e., exclude ESP and ISAKMP traffic.

I'm not sure if this will work, but it's worth a try.

6 Replies
OK I tried what you said and it did not work. Here is what I tried:

Side B

access-list outside_Qwest_www_vlan602_cryptomap extended permit udp host 63.235.7.2 host 10.5.21.10 eq 1645

Side A

access-list outside_Qwest_www_vlan602_cryptomap_3 extended permit udp host 10.5.21.10 eq 1645 host 63.235.7.2

Logs from ASA B:

Jun  7 05:45:14 oakcom1-edge-5515-01.network.higherone.net Jun 07 2013 08:47:00: %ASA-5-713041: Group = 63.144.247.10, IP = 63.144.247.10, IKE Initiator: New Phase 2, Intf outside_Qwest_www_vlan602, IKE Peer 63.144.247.10  local Proxy Address 63.235.7.2, remote Proxy Address 10.5.21.10,  Crypto map (outside_Qwest_www_vlan602_map0)

Logs from ASA A:

Jun  7 08:47:03 hvn1c2-edgefw-5585-01.network.higherone.net Jun 07 2013 08:47:03: %ASA-7-713222: Group = 63.235.7.2, IP = 63.235.7.2, Static Crypto Map check, map = outside_Qwest_www_vlan602_map0, seq = 1, ACL does not match proxy IDs src:63.235.7.2 dst:10.5.21.10

Jun  7 08:47:03 hvn1c2-edgefw-5585-01.network.higherone.net Jun 07 2013 08:47:03: %ASA-7-713024: Group = 63.235.7.2, IP = 63.235.7.2, Received local Proxy Host data in ID Payload:  Address 10.5.21.10, Protocol 17, Port 1645

Am I doing something wrong, or is what I am trying to do impossible?

Hi,

Did you configure NAT0 or another appropriate NAT configuration on the AAA server site firewall which matches the L2L VPN ACL configuration?

The site that originates the connection to the AAA server naturally doesn't need a NAT configuration, as the firewall itself generates the traffic.

On the other hand, the site with the AAA server needs a NAT rule that makes the AAA server's traffic NATed so that it is forwarded to the L2L VPN between the sites.

- Jouni
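The two-sided configuration Jouni is describing, written out as an added example (not config posted in this thread). It uses the addresses from the thread (site B outside 63.235.7.2, site A peer 63.144.247.10, RADIUS server 10.5.21.10) but the object, ACL, crypto map, transform-set and tunnel-group names, the IKE policy values and the placeholder secrets are all assumptions, and the syntax assumes ASA 8.4 or later (object-based ACLs and twice NAT; on 8.2 and earlier the exemption would be `nat (inside) 0 access-list ...` instead).

```text
! ---- Site B: ASA that terminates the VPN users and must reach the RSA RADIUS server ----
object network SITE_B_OUTSIDE
 host 63.235.7.2
object network RSA_RADIUS_A
 host 10.5.21.10

! Interesting traffic includes the outside (peer) interface IP itself, because the
! ASA sources its own RADIUS requests from the interface it sends them on.
! Only UDP/1645 is protected, so IKE (UDP/500, UDP/4500) and ESP between the two
! outside addresses never match this ACE and no protocol exclusion is needed.
! If RADIUS accounting is enabled, add a second ACE for eq 1646 on both sides.
access-list B_TO_A_CRYPTO extended permit udp object SITE_B_OUTSIDE object RSA_RADIUS_A eq 1645

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address B_TO_A_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 63.144.247.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 63.144.247.10 type ipsec-l2l
tunnel-group 63.144.247.10 ipsec-attributes
 ikev1 pre-shared-key <shared-secret>

! The server is reached through "outside", so each request leaves with source
! 63.235.7.2 and is caught by the crypto map applied on that interface.
! No NAT exemption is needed on this side: the ASA does not NAT traffic it originates.
aaa-server RSA_RADIUS protocol radius
aaa-server RSA_RADIUS (outside) host 10.5.21.10
 key <radius-secret>
 authentication-port 1645
 accounting-port 1646

! ---- Site A: ASA in front of the RSA RADIUS server ----
! (crypto ikev1 enable, the IKEv1 policy and the transform set as on site B)
object network RSA_RADIUS_A
 host 10.5.21.10
object network SITE_B_OUTSIDE
 host 63.235.7.2

! Exact mirror of the site B ACE: source and destination swapped, so the port now
! qualifies the source. The proxy IDs both peers propose must agree, otherwise
! Phase 2 fails with "ACL does not match proxy IDs".
access-list A_TO_B_CRYPTO extended permit udp object RSA_RADIUS_A eq 1645 object SITE_B_OUTSIDE

! NAT exemption (the "NAT 0" of pre-8.3 syntax): replies from the server keep their
! real source address and are routed to the tunnel instead of hitting outbound PAT.
! The server itself still needs a route to 63.235.7.2 that points at this ASA.
nat (inside,outside) source static RSA_RADIUS_A RSA_RADIUS_A destination static SITE_B_OUTSIDE SITE_B_OUTSIDE no-proxy-arp route-lookup

crypto map OUTSIDE_MAP 10 match address A_TO_B_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 63.235.7.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 63.235.7.2 type ipsec-l2l
tunnel-group 63.235.7.2 ipsec-attributes
 ikev1 pre-shared-key <shared-secret>
```

The two crypto ACLs are deliberately host-to-host and port-qualified: widening them to the whole site B outside subnet would start pulling unrelated traffic from that firewall into the tunnel, and dropping the port would let any UDP between the two hosts negotiate an SA.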

Thank you for pointing that out. I put the NAT 0 on the A side ASA where the RADIUS server resides and I can see the UDP traffic come in but nothing comes back.

Well,

Typically I would probably check the routing configuration between the ASA and the server, or configure a traffic capture on the ASA to see if anything is coming back from the server.

Is there a chance that the source IP of the other side's ASA is blocked somewhere in between, so it can't even get through to the server?

- Jouni
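The checks Jouni suggests, as an added example of the ASA commands a practitioner would run (not commands from this thread). Object, ACL and server-group names follow the assumed configuration above and the test credentials are placeholders; the addresses are the ones in the thread.

```text
! ---- On ASA A (in front of the RADIUS server) ----
! 1. Does the server answer at all? Capture on the inside interface, then trigger
!    a request from site B (step 3). Replies from 10.5.21.10 should show up here.
capture RADIUS_IN interface inside match udp host 10.5.21.10 host 63.235.7.2
show capture RADIUS_IN

! 2. Is the reply steered into the tunnel? The trace should show the NAT exemption
!    ("source static ... destination static") and a VPN encrypt phase. A hit on an
!    outbound PAT rule instead means the exemption is missing or ordered too late.
!    1025 stands in for whatever source port ASA B picked; the crypto ACL leaves it open.
packet-tracer input inside udp 10.5.21.10 1645 63.235.7.2 1025 detailed

! ---- On ASA B (the firewall that authenticates the VPN users) ----
! 3. Force a RADIUS exchange without a real VPN client. The request is sourced from
!    63.235.7.2 and should bring up the Phase 2 SA for the UDP/1645 proxy IDs.
test aaa-server authentication RSA_RADIUS host 10.5.21.10 username testuser password testpass

! 4. Confirm the SA and its proxy identities: local ident is the outside interface
!    host address with any port, remote ident is the server on port 1645.
!    "#pkts encaps" rising with "#pkts decaps" stuck at 0 means requests leave but
!    replies never return, which points back at NAT or routing on site A.
show crypto ipsec sa peer 63.144.247.10

! ---- Cleanup on ASA A ----
no capture RADIUS_IN
```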

This is working now. I had a server issue.

The real trick was remembering the NAT 0 for the return traffic.

Thanks to Adam and Jouni for their help